Over the last decade, file sharing systems that are accessible over the Internet or other publicly accessible networks have been increasingly targeted for malicious attack. One type of malicious attack may involve an attempt, normally through unsuspected uploading of malicious data (e.g., software, data, command(s), etc.) within content stored within a file sharing system, to infect any or all computers that upload the content. The malicious data, generally referred to as “malware,” may allow a third party to adversely influence or attack normal operations of the computer where the malicious attack is directed to a vulnerability associated with a specific application (e.g., browser application, document reader application, data processing application, etc.).
For instance, it is recognized that the malicious data may include a program or file that is harmful by design to the computing device. The malicious data may include computer viruses, worms, or any other executable (binary) that gathers or attempts to steal information from the computer, or otherwise operates without permission. The owners of the computers are often unaware that the malicious data has been added to their computers and is in operation.
Various processes and devices have been employed to prevent malicious attacks and other security threats on a file sharing system. Previously, security appliances were placed in-line with a storage server in an attempt to detect malware, in the form of an exploit or some sort of malicious software, as it is being routed into the storage server. However, for that deployment, conventional security appliances were required to understand and process packets configured in accordance with a storage protocol supported by a file system utilized by the storage server, where file system storage protocols are highly divergent. In fact, different types of file system may support different storage protocols and even different storage protocols may be used on different versions of the same type of file system. Additionally, the conventional in-line security appliances caused latency in the retrieval of files or other documents from the storage server. This latency adversely influenced the overall user experience provided by the file sharing system.
In fact, a security appliance offered by FireEye, Inc., the assignee of the present patent application, employs a two-phase malware detection approach to analyze files stored on a file system. This security appliance typically runs an analysis by traversing a storage tree to identify files to scan, and comparing the time of the last scan with the last modification of the file to reduce overhead by limiting its analysis to avoid repeating the scans of files not modified since the prior scanning period. It is noted that the complexity of this type of security appliance greatly increases as the storage volumes increase and storage protocols utilized by the file systems change.